HB16-1423: Student Data Collection Use Security

Bill Number: HB16-1423

Year: 2016

ACLU Position: Support

Sponsors: A. Garnett / P. Lundeen / O. Hill

Description:

The bill adds to the existing laws pertaining to student data
security by adopting additional duties that the state board of education
(state board), department of education (department), and school districts,
boards of cooperative services, and charter schools (local education providers, or LEPs) must comply
with to increase the transparency and security of the student personally
identifiable information (student PII) that the department and the LEPs
collect and maintain. The bill imposes duties on the commercial entities
that provide school services by formal contract with the department or an
LEP (contract providers) and the commercial entities that an LEP or
employees of an LEP choose to use without entering into a formal,
negotiated contract (on-demand providers).

Applicability of bill. For provider contracts and research
agreements that the department enters into or renews on or after the
effective date of the bill, the department must ensure that the contract or
agreement includes the restrictions and requirements pertaining to student
PII and must terminate the contract or agreement if the contract provider
or researcher commits a material breach of the contract involving the
misuse or unauthorized release of student PII. For provider contracts that
an LEP enters into or renews on or after the effective date of the bill, the
LEP must ensure that the contract includes the restrictions and
requirements pertaining to student PII and, if the contract provider
commits a material breach of the contract involving the misuse or
unauthorized release of student PII, must either terminate the contract or
hold a public meeting to discuss the nature of the material breach and
decide whether to terminate the contract.

State board duties. Under existing law, the state board has several
duties with regard to the student PII that the department collects from
LEPs. These duties include explaining the types of student PII the
department collects and creating policies to protect the collected student
PII. The bill does not substantively change the duties of the state board,
except to require the state board to ensure that an organization that
conducts research for the department is subject to the same requirements
and restrictions imposed on contract providers.

Department duties. Under existing law, the department has
several duties with regard to the student PII that the department collects
from LEPs. The bill adds to these duties by requiring the department,
before it releases student PII to a person or entity that is conducting
research, to enter into an agreement with the researcher that includes the
same requirements and restrictions that are included in a contract with a
contract provider. The department also must maintain on its website a
detailed list of the vendors, researchers, researcher organizations, and
government agencies with which it has agreements for the release of
student PII.
The bill requires the department to create a sample student
information privacy and protection policy and sample school service
provider contract language that LEPs may choose to use. The department
must make training materials and, upon request, training services,
available to LEPs for training employees with regard to student
information security and privacy.

LEP duties. The bill requires each LEP to post on its website a list
of the student PII that the LEP collects and maintains in addition to the
student PII that the LEP submits to the department. Each local education
provider must post on its website a list, to the extent practicable, of the
on-demand providers that the LEP or an employee of the LEP uses. The
LEP must update the list twice each school year. If the LEP has evidence
demonstrating that an on-demand provider does not comply with its own
privacy policy or does not meet the requirements and restrictions imposed
on contract providers, the LEP is encouraged to stop using the on-demand
provider. The LEP must notify the on-demand provider, and the
on-demand provider may submit a written statement. The LEP must
publish on its website a list of the on-demand providers that it stops using,
with any written statements it receives, and notify the department when
it stops using an on-demand provider for privacy reasons. The department
must post on its website a list of the on-demand providers that LEPs stop
using for privacy reasons and any written statements from on-demand
providers.
Each LEP must adopt a student information privacy and protection
policy, make copies available to parents upon request, and post the policy
on its website.

Contract provider duties. Each contract provider must provide
clear information concerning the student PII it collects and how it uses
and shares the student PII. The contract provider must provide the
information to the department and each LEP (public education entity)
with which it contracts and post the information on its website. Each
contract provider must help an LEP access and correct any factually
inaccurate student PII that the contract provider holds. A contract
provider may collect and use student PII only for the purposes authorized
by the contract and must obtain parental consent to use a student’s data in
a manner that is inconsistent with the contract.
A contract provider cannot sell student PII; use or share student PII
for use in targeted advertising; or use student PII to create a profile,
except for purposes authorized by the contracting public education entity
or with parental consent. A contract provider may use student PII for
specified purposes. A contract provider may share student PII with a
subcontractor, and a subcontractor may share with a subsequent
subcontractor, only if the subcontractor or subsequent subcontractor is,
by contract, subject to the restrictions and limitations imposed on the
contract provider. If a subcontractor commits a material breach that
involves the misuse or unauthorized release of student PII, the public
education entity must terminate the contract with the contract provider
unless the contract provider terminates the contract with the
subcontractor.
Each contract provider must maintain a comprehensive
information security program and must destroy student PII at the request
of a contracting public education entity, unless the student’s parent
consents to retaining the student PII or the student has transferred to
another public education entity that requests retention of the student PII.
Each contract provider must destroy all student PII in accordance with the
terms of the contract.
The bill describes some ways in which a contract provider may use
student PII that are exceptions to the restrictions in the bill.

Parents' rights. The bill recognizes a parent's right to inspect and
review his or her child’s student PII; to request a paper or electronic copy
of his or her child’s student PII; and to request corrections to factually
inaccurate student PII that an LEP maintains.
The governing board of each LEP must adopt a policy for hearing
complaints from parents concerning the LEP’s compliance with the bill.